Dieter - thanks for the reply.

I was able to get the group thing working with just one additional "GroupMember" role. Basically, each GRUF group (Group_CustA, Group_CustB) takes on a local role of "GroupMember" within their own directory, and in that way, members of Group_CustA cannot get into the CustomerB/ folder, since they are not members of Group_CustB.

However, there is an odd twist that I cannot figure out. When the URL is:

http://blah.com/Customers/CustomerA/index_html

everything works fine. However, when it is:

http://blah.com/Customers/CustomerA/

the insufficient privileges message comes up for any user, even owners and managers. When I set all of the permissions to "Acquire", everybody can view the second URL just fine (which opens the index_html, as it should), but then, of course, no permission control is in place against the various customer folders.

What is the permission at work that prevents users from viewing the index_html when the URL is in the second form? I assume Zope does some kind of forwarding from the directory to a default index document, but I cannot figure out which permission it is.

As a workaround, I'm sure I can just make them link only to .../index_html, but that seems a bit kluge-y.

Any help is appreciated...

-Jake

----- Original Message -----
From: "Dieter Maurer" <dieter@handshake.de>
To: "Jake Latham" <jlatham@datasplice.com>
Cc: <zope@zope.org>
Sent: Saturday, January 17, 2004 4:02 PM
Subject: Re: [Zope] Need help with security and local roles w/ GRUF
Jake Latham wrote at 2004-1-16 13:45 -0700:
... We've got a Zope/Plone site where we want our customers to be able to log in, and be taken to their directory:
/Customers/
    CustomerA/
    CustomerB/
    ...

That much works fine. The problem is that we need to set up permissions so that the customers can only see their own directory, i.e. CustomerA cannot go poking around in CustomerB's folder, were they to type in the correct URL (or by mistake).
We've fiddled with various combinations of local roles and defining a new role - "Customer" to try and limit permissions, but we can't get it to work quite right. Perhaps we are not modifying the correct Permission? (We had been modifying the "view" permission).
Viewing is usually controlled by 2 permissions: "View" and "Access contents information". I expect, your customers should be able to do more than just view their own object...
When you describe clearer what you did and in what way this did not work, we may help you better.
-- Dieter
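
The setup discussed in this thread, as an added example that is not part of the original messages and is not Zope's own code: a simplified Python model of how a permission's role list (with or without "Acquire") combines with local roles for the two permissions Dieter names. The root folder's role settings, the user id `jake_a`, and treating a user's principals as their user id plus group ids are assumptions made for illustration.

```python
# Simplified model of Zope 2 permission resolution (illustrative, not Zope code).
class Folder:
    def __init__(self, name, parent=None):
        self.name, self.parent = name, parent
        self.permissions = {}   # permission -> (set of roles, acquire flag)
        self.local_roles = {}   # principal (user or group id) -> roles

    def set_permission(self, permission, roles, acquire):
        self.permissions[permission] = (set(roles), acquire)

    def roles_for(self, permission):
        """Roles holding `permission` here; follows Acquire up to the parent."""
        roles, acquire = self.permissions.get(permission, (set(), True))
        if acquire and self.parent is not None:
            return roles | self.parent.roles_for(permission)
        return set(roles)

    def roles_in_context(self, principals, global_roles):
        """Global roles plus local roles granted here or on any parent."""
        roles, node = set(global_roles), self
        while node is not None:
            for principal in principals:
                roles |= set(node.local_roles.get(principal, ()))
            node = node.parent
        return roles

VIEWING = ("View", "Access contents information")

def can_view(folder, principals, global_roles=("Authenticated",)):
    """Viewing needs a held role for BOTH permissions."""
    held = folder.roles_in_context(principals, global_roles)
    return all(held & folder.roles_for(p) for p in VIEWING)

def build_site(acquire=False):
    """Constructed site: /Customers/CustomerA and /Customers/CustomerB."""
    root = Folder("root")
    for perm in VIEWING:  # assumed root settings
        root.set_permission(perm, ["Manager", "Authenticated"], acquire=False)
    customers = Folder("Customers", root)
    site = {}
    for name, group in (("CustomerA", "Group_CustA"), ("CustomerB", "Group_CustB")):
        folder = Folder(name, customers)
        for perm in VIEWING:
            folder.set_permission(perm, ["GroupMember"], acquire=acquire)
        folder.local_roles[group] = ["GroupMember"]
        site[name] = folder
    return site
```

With `acquire=False` a member of Group_CustA is limited to CustomerA/; with `acquire=True` the parent's roles are merged in and the per-customer separation disappears, which matches the behaviour described in the message above.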